Design site to Site VPN w/NAT traversal issue

Hi, I have a number of site to site VPN that end on a PIX. I intend to migrate these VPN to a router that sits on a demilitarized zone connected to the PIX. Before doing that I'm going to set up a private network new virtual to end on the router but I also need than VPNS that end on the PIX to be not affected.

If I configure NAT traversal on the PIX, affected my other VPN?

Thanks in advance

DOM

Hi Dom,

Why do you want to configure NAT-Traversal on PIX, if you wish to terminate your VPN router (which is on the DMZ).

Do you do any NAT on PIX thru the router?

If you want to configure NAT-Traversal, it must be configured on the end (on the router in your case) devices.

Example:

When a user with Cisco client or Cisco router behind NAT wants to connect to another device (such as PIX, ASA, or router) NAT - T must be configured on the machine (which will be the PIX or ASA)

Hope that helps.

* Please indicate the post

Tags: Cisco Security

Similar Questions

  • Site to Site VPN IPsec IPv6 on issue of routers-Tunnel

    Hi, I am experiencing a problem can any one address the question below and let me know the solution. I have two routers and try to build "Site to Site VPN IPsec IPv6". I followed orders from Cisco and community document but when I apply my profile of ipsec for tunnel interfaces, that the tunnel is down.

    https://supportforums.Cisco.com/docs/doc-27009

    Ali,

    VTI tunnels are meant to be broken when there is no active negotiated spinnakers.

    The tunnel will go towards up/face upwards when there is a means of transport of packages - i.e. the SPIs are present.

    You can control the order spinnakers 'show peer's crypto ipsec '.

    For debugging:

    Debug crypto isa

    Debug crypto ipsec

    M.

  • Ports VPN Client NAT Traversal

    I need to allow access to the PC Firewall etc making PAT running VPN client to a PIX running 6.3 - what ports/protocols should be opened on the firewall etc? As far as I know, it will be UDP port 500 and TCP port 10000 (or all that will be configured on the client). The network will look like this:

    Customer - etc - PIX - Server

    Hello

    they would be:

    UDP 500

    UDP 4500 (NAT - T)

    no need for the tcp port, pix 6.3.1 manages not ipsec/tcp, its only ipsec/udp.

    THX

    AFAQ

  • 2 one-Site VPN Cisco 2801 and with crossing NAT

    Hi guys,.

    I would like to configure two Cisco 2801 using IPSEC/IKE. Both routers are connected to the internet through DSL lines. The DSL line have RFC1918 address side LAN where routers connected to the internet face. I can do NAT on DSL modems.

    Cisco IOS 2801 routers allow to configure site-2-site VPN with NAT crossing?

    Here is a model of physics/IP configuration:

    LAN<->2801 Modem DSL<-Internet->DSL modem<-Priv ip-=""> 2801<-Priv ip-=""><-> LAN

    Thank you

    Gonçalo

    Yes, you're good to go only if one or both of the sites has an IP address which is natted with private IP address statically. The implementation of IPSec on SRI NAT support in most crosses so that shouldn't be a concern

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure the ASA1 with static NAT strategy

      • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
    • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
    • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
      • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
      • NAT (inside) 0-list of access to the INTERIOR-SHEEP
    • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
      • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • Several subnets in the site to Site VPN

    Hi guys,.
    I would like to set up a site of tunnel VPN stie with several subnets. I could not find a configuration which is my problem. I hope you can help me with the solution.
    You can find my design network attach to this subject.
    This is my setup on the ASA:

    (1) NAT excemption for network traffic, go to the Site to site VPN.
    NAT (MGMTLAN, INT STSVPN) static source 192.168.10.0 192.168.10.0 static destination 192.168.31.0 192.168.31.0
    NAT (inside, INT STSVPN) static source 192.168.15.0 192.168.15.0 static destination 192.168.38.0 192.168.38.0

    (2) the Accesslist with traffic to encrypt
    object-group network 192.168.10.0
    object-network 192.168.10.0 255.255.255.0

    object-group network 192.168.15.0
    object-network 192.168.15.0 255.255.255.0

    the 192.168.38.0 object-group network
    object-network 192.168.38.0 255.255.255.0

    the 192.168.31.0 object-group network
    object-network 192.168.31.0 255.255.255.0

    object-group network STSVPN-LOCAL
    Group-object 192.168.10.0
    purpose of group - 192.168.15.0

    object-group network STSVPN-US
    purpose of group - 192.168.38.0
    purpose of group - 192.168.31.0

    ACL_STSVPN-US allowed extended ip access-list object-STSVPN-LOCAL object group STSVPN-American

    (3) proposal phase 1
    IKEv2 crypto policy 10
    aes-256 encryption
    sha256 integrity
    Group 14
    FRP sha256
    second life 86400

    (4) proposal phase 2
    Crypto ipsec ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
    Protocol esp encryption aes-256
    Protocol esp integrity sha-256

    (5) group tunnel
    tunnel-group 4.4.4.4 type ipsec-l2l
    tunnel-group 4.4.4.4 General attributes
    Group Policy - by default-GrpPolicy-STSVPN-US
    IPSec-attributes tunnel-group 14.4.4.4
    IKEv2 remote-authentication pre-shared key abcd
    IKEv2 authentication local pre-shared key abcd

    GroupPolicy
    Group Policy GrpPolicy-STSVPN-US internal
    Group Policy attributes GrpPolicy-STSVPN-US
    value of VPN-filter STSVPN-US
    Ikev2 VPN-tunnel-Protocol

    (5) crypto card
    10 CM-STSVPN crypto card matches the address STSVPN-US
    10 CM - STSVPN peer set 4.4.4.4 crypto card
    card crypto 10 CM-STSVPN set ikev2 proposal ipsec IKEV2-IPSEC-ESP-AES-SHA
    interface card crypto INT-STSVPN CM-STSVPN
    Crypto ikev2 enable INT-STSVPN
     
    /////////////////////////////////////////////////////////////////////

    The router configuration:

    (1) part SA

    proposal of crypto ikev2 ki2. PROP
    encryption aes-cbc-256
    sha256 integrity
    Group 14
    IKEv2 crypto policy ki2. POL
    proposal ki2. PROP
    ikev2 KR1 encryption keys
    peer ASALAB
    address 2.2.2.2
    pre-shared key local abcd
    pre-shared key remote abcd
    Profile of crypto ikev2 ki2. TEACHER
    match one address remote identity 2.2.2.2 255.255.255.255
    address local identity 4.4.4.4
    sharing front of remote authentication
    sharing of local meadow of authentication
    door-key local KR1
     
    (2) Transformset

    Crypto ipsec transform-set TS. VPN2, esp esp - aes hmac-sha256-256
    tunnel mode

    (3) access-list

    IP ACL extended access list. VPNIKE2
    IP 192.168.31.0 allow 0.0.0.255 192.168.10.0 0.0.0.255
    IP 192.168.38.0 allow 0.0.0.255 192.168.15.0 0.0.0.255
     
    (5) crypto card

    crypto CM card. 30 VPN ipsec-isakmp
    defined peer 2.2.2.2
    the transform-set TS value. VPN2
    group14 Set pfs
    ki2 ikev2-profile value. TEACHER
    match address ACL. VPNIKE2
     
    //////////////////////////////////////////////////////////////////////

    This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.

    192.168.31.0 subnet cannot communicate with 192.168.10.0
    192.168.38.0 subnet cannot communicate with 192.168.15.0

    Hello Jay,

    I went during the configuration of the two aircraft and noticed a few errors on the configuration of the SAA. Details here:

    (1) the access list configured for VPN traffic is named ACL_STSVPN-US, however the address for correspondence configured on the map encryption uses a group of objects name instead:

    address for correspondence card crypto 10 CM - STSVPN STSVPN-US

    You must change this setting to avoid any problems with the negotiation of traffic:

    no matching address card crypto 10 CM-STSVPN STSVPN-US

    10 CM-STSVPN crypto card matches the address ACL_STSVPN-US

    (2) you also have the same error on the configured vpn filter. However, you could not use the access list ACL_STSVPN-United States for VPN filter since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured for remote network (ROUTER) to local networks (ASA). It will look something like this:

    access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

    access-list VPN_filter extended permitted ip object-STSVPN-US group LOCAL STSVPN

    Group Policy attributes GrpPolicy-STSVPN-US
    VPN-Filter VPN_filter value

    Keep in mind that the VPN filter is in the rules that determine whether to allow or deny packets of data tunnelees coming through the device security, based on criteria such as the source, destination, and Protocol address address. If you want to use the IP Protocol, the filter will not make a difference.

    (3) group 14 of the PFS is configured on the router crypto map, but not on the SAA. You need to even add it in the card encryption ASA or remove it from the router.

    ASA:

    card crypto 10 CM-STSVPN set group14 pfs

    Router:

    crypto CM card. 30 VPN ipsec-isakmp

    No group14 set pfs

    Hope this help you to raise the tunnel,

    Luis.

  • 887 site to Site VPN

    Hi all

    After you follow the guides on the site to site VPN and NAT I am very close with this, but suspect a minor error here. It was difficult to apply some of the examples of cisco worked the additional complexity here (VLANS, routing to an address static IP), as well as due to inexperience with some routing commands.

    Requirements:

    -Provide internet access for three local networks (10.10.10.0/29 for the management of the router, 192.168.1.0/24 for the most of the PC, 172.22.81.160/28 for a PC for VPN and wireless)

    -Set up a VPN site-to site between 172.22.81.160 and a remote VPN router to 194.73. ***. ***

    -Transfer all 172.22.81.160 traffic destined to the 195.218 IP only. ***. (cited to me as 195.218.***.***/32) over the site to site VPN

    MBM may be confusing that 195.218. ***. is a public IP address, where I would normally expect a private IP address. This has been checked and confirmed. It's certainly accessible only via the VPN tunnel. So far, everything works as expected, except for the VPN. Cisco diagnosis report that everything is going well except for the tunnel are declining and no traffic going back 195.218. ***. ***

    I have not spotted the error, help appreciated!

    My next step would be to simplify the config by removing unnecessary commands one by one and then check again against examples and manual. Attached config.

    Kind regards

    John

    References:

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...

    Requirements of VPN:

    IKE Phase 1
    Diffie-Hellman group: 2
    Version of IKE: IKEv1
    IKE Lifetime: 86400
    Aggressive mode: No.
    Encryption: AES 256
    Integrity: SHA2-256
    Authetication method: pre-shared

    IKE Phase 2
    PFS: Yes
    PFS DH group: 2
    Life: 3600
    Encryption: AES 256
    Integrity: SHA2-256

    Good things! Happy that you guessed it sorted.

  • NAT Traversal on site to site VPN pix

    I don't think it's possible to implement NAT traversal between a site to IPSEC VPN using ESP tunnels?

    Our ISP to the remote end will provide only a public IP address and which is attributed to their router...

    Sites are using pre-shared keys and IKE

    for example...

    LAN-PIX1-ISPROUTER-INTERNET-ISPPATROUTER-PIX2-LAN

    I have attached the card encryption for more info

    Thanks in advance...

    I guess that NAT - T is most commonly used in a customer VPN environment, but I'm sure that its not limited to this type of connection.

    I just set up a VPN this morning with the help of a customer on a router running 12.2.15T and tested connection with NAT - T works very well by using IP addresses.

    NAT - T enabled by a NAT detection process, and there is that to protect the ESP of a change should work in both environments.

    I'll have a go in my lab, see if I can implement and check it.

    However by going to the original post, you say that only one address is available from the ISP, it is on the router for pix link?

    Where are the limits of NAT, I expect to be in the PIX, but it must be a public IP address on you interfaces also. You can then use the external address as endpoints IPSec, don't need NAT - T in any case.

  • Site to Site VPN Possible behind routers NAT on both ends?

    Nice day

    After extensive research I have not found an answer so I turn to the community.

    I'm trying to help a friend facility a VPN but it's a scenario that I have not dealt and hope that someone has.

    Here's the basic scheme;

    Site 1 - 172.16.23.0/24

    Site 2 - 172.16.24.0/24

    (Site of ASA 1 - router 172.16.23.5) - Linksys w / static public IP - Internet - Linksys router w / static public IP-(ASA Site 2 - 172.16.24.5)

    Is this possible scenario with port forwarding?  The warnings, I need to watch out for?

    I read that I'll need a route to my ASA, say Site 1 ASA, who said... Route 172.16.24.0 255.255.255.0 1.1.1.1 (point to ASA local public IP).

    I also read I'll need one additional lane in my (site 1) linksys router that says... Route 172.16.24.0 255.255.255.0 172.16.23.5 (point to the local interface of the ASA)

    Thanks for all comments and suggestions.

    A

    Hi Adam,.

    You are right with a port forwarding, you can create an IPSEC tunnel, even if NAT is present on both ends.

    Also, NAT - T is a feature enabled by default on the ASA that automatically detects if the camera is behind a NAT and pass the IPSEC UDP 4500 port. Here is the syntax of the command:

    ASA (config) # crypto isakmp nat-traversal 20

    How NAT - T works

    So, here is a document for your reference build the VPN tunnel:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/119141-configure-ASA-00.html

    About routing, all traffic will go out of the ASA using intellectual property where the card encryption is applied, routing on linkysys devices just take care that this IP is routed Internet and that there is connection between the 2 ASAs.

    It may be useful

    -Randy-

  • NAT and Site to site VPN

    Hi all

    We currently have a PIX in our local network. There is a Site to site VPN tunnel between this PIX and another network abroad.

    We have several networks in our local network.

    The VPN tunnel is on a single network: 192.50.175.0 / 24.

    and the network of the other site is:

    192.100.24.0 21

    Part of the configuration:

    inside_nat0_outbound ip 192.50.175.0 access list allow 255.255.255.0 192.100.24.0 255.255.248.0

    NAT (inside) 0-list of access inside_nat0_outbound

    As I said before, we have several networks.

    In particular, we have 192.50.160.0/24 too.

    And we would like that this network can use the VPN tunnel also.

    But the other site does not want to carry our another network in their LAN.

    They suggest we 192.50.160.0 NAT / 24 to an IP address on the 192.50.175.0 / 24, users in a network 192.50.160.0 / 24 can also use the VPN tunnel.

    Do you know if it is possible to do it with my PIX? And how?

    It's a PIX-515-DMZ, v6.3 (5).

    Any help would be appreciated!

    Thank you

    Good point. You can be good then.

  • Site to SIte VPN through a NAT device

    I have, I am having trouble running a vpn site-to site between two 3725 routers running c3725-advsecurityk9-mz124 - 15 T 1, that I hope I can get some help with, I am probably missing something here. The VPN ran very well when both VPN routers were connected directly to the internet and had on WAN interfaces public IP addresses, but I had to move one of the firewall inside on a private IP address. Installation is now as below

    Router VPN one (192.168.248.253) - internal company network - Fortigate FW - internet-(217.155.113.179) router VPN B

    The fortigate FW is doing some translations address
    -traffic between 192.168.248.253 and 217.155.113.179 has its source in 37.205.62.5
    -traffic between 217.155.113.179 and 37.205.62.5 has its destination translated to 192.168.248.253
    -Firewall rules allow all traffic between the 2 devices, no port locking enabled.

    -The 37.205.62.5 address is used by anything else.

    I basically have a GRE tunnel between two routers, and I'm trying to encrypt it.

    The router shows below

    Card crypto SERVER-RTR #show
    "S2S_VPN" 10 ipsec-isakmp crypto map
    Peer = 217.155.113.179
    Expand the access IP 101 list
    access-list 101 permit gre 192.168.248.253 host 217.155.113.179
    Current counterpart: 217.155.113.179
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    STRONG,
    }
    Interfaces using crypto card S2S_VPN:
    FastEthernet0/1

    SERVER-RTR #show crypto sessio
    Current state of the session crypto

    Interface: FastEthernet0/1
    The session state: down
    Peer: 217.155.113.179 port 500
    FLOW IPSEC: allowed 47 192.168.248.253 host 217.155.113.179
    Active sAs: 0, origin: card crypto

    Interface: FastEthernet0/1
    The session state: IDLE-UP
    Peer: 217.155.113.179 port 4500
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive
    IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 inactive

    Router B shows below

    Card crypto BSU - RTR #show
    "S2S_VPN" 10 ipsec-isakmp crypto map
    Peer = 37.205.62.5
    Expand the access IP 101 list
    access-list 101 permit gre 217.155.113.179 host 37.205.62.5
    Current counterpart: 37.205.62.5
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    STRONG,
    }
    Interfaces using crypto card S2S_VPN:
    FastEthernet0/1

    BSU - RTR #show sess crypto
    Current state of the session crypto

    Interface: FastEthernet0/1
    The session state: down
    Peer: 37.205.62.5 port 500
    FLOW IPSEC: allowed 47 217.155.113.179 host 37.205.62.5
    Active sAs: 0, origin: card crypto

    Interface: FastEthernet0/1
    The session state: IDLE-UP
    Peer: 37.205.62.5 port 4500
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive
    IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 inactive

    I can see counters incrementing on the ACL on both routers, so I don't know the traffic free WILL is interesting.

    Here are a few debugs too
    --------------
    Router

    Debug crypto ISAKMP

    * 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 940426884
    * 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node 1837874301
    * 23:07:10.898 Mar 2: ISAKMP: (1024): purge the node-475409474
    * 23:07:20.794 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet dport 500 sport 500 SA NEW Global (N)
    * 23:07:20.794 Mar 2: ISAKMP: created a struct peer 217.155.113.179, peer port 500
    * 23:07:20.794 Mar 2: ISAKMP: new position created post = 0x64960C04 peer_handle = 0x80000F0E
    * 23:07:20.794 Mar 2: ISAKMP: lock struct 0x64960C04, refcount 1 to peer crypto_isakmp_process_block
    * 23:07:20.794 Mar 2: ISAKMP: 500 local port, remote port 500
    * 23:07:20.794 Mar 2: ISAKMP: find a dup her to the tree during the isadb_insert his 6464D3F0 = call BVA
    * 23:07:20.794 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 23:07:20.794 Mar 2: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1

    * 2 Mar 23:07:20.794: ISAKMP: (0): treatment ITS payload. Message ID = 0
    * 2 Mar 23:07:20.794: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.794: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    * 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
    * 23:07:20.798 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
    * 2 Mar 23:07:20.798: ISAKMP: (0): pre-shared key local found
    * 23:07:20.798 Mar 2: ISAKMP: analysis of the profiles for xauth...
    * 23:07:20.798 Mar 2: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    * 23:07:20.798 Mar 2: ISAKMP: DES-CBC encryption
    * 23:07:20.798 Mar 2: ISAKMP: SHA hash
    * 23:07:20.798 Mar 2: ISAKMP: default group 1
    * 23:07:20.798 Mar 2: ISAKMP: pre-shared key auth
    * 23:07:20.798 Mar 2: ISAKMP: type of life in seconds
    * 23:07:20.798 Mar 2: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    * 23:07:20.798 Mar 2: ISAKMP: (0): atts are acceptable. Next payload is 0
    * 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts: real life: 0
    * 23:07:20.798 Mar 2: ISAKMP: (0): Acceptable atts:life: 0
    * 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his vpi_length:4
    * 23:07:20.798 Mar 2: ISAKMP: (0): fill atts in his life_in_seconds:86400
    * 23:07:20.798 Mar 2: ISAKMP: (0): return real life: 86400
    * 23:07:20.798 Mar 2: ISAKMP: (0): timer life Started: 86400.

    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    * 23:07:20.798 Mar 2: ISAKMP (0:0): provider ID is NAT - T v7
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v3
    * 2 Mar 23:07:20.798: ISAKMP: (0): load useful vendor id of treatment
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    * 2 Mar 23:07:20.798: ISAKMP: (0): provider ID is NAT - T v2
    * 23:07:20.798 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 23:07:20.798 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

    * 2 Mar 23:07:20.802: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 2 Mar 23:07:20.802: ISAKMP: (0): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
    * 23:07:20.802 Mar 2: ISAKMP: (0): sending a packet IPv4 IKE.
    * 23:07:20.802 Mar 2: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 23:07:20.802 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

    * 23:07:20.822 Mar 2: ISAKMP (0:0): received 217.155.113.179 packet 500 Global 500 (R) sport dport MM_SA_SETUP
    * 23:07:20.822 Mar 2: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 23:07:20.822 Mar 2: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

    * 2 Mar 23:07:20.822: ISAKMP: (0): processing KE payload. Message ID = 0
    * 2 Mar 23:07:20.850: ISAKMP: (0): processing NONCE payload. Message ID = 0
    * 23:07:20.854 Mar 2: ISAKMP: (0): pair found pre-shared key matching 217.155.113.179
    * 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
    * 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is the unit
    * 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
    * 2 Mar 23:07:20.854: ISAKMP: (1027): provider ID is DPD
    * 2 Mar 23:07:20.854: ISAKMP: (1027): load useful vendor id of treatment
    * 2 Mar 23:07:20.854: ISAKMP: (1027): addressing another box of IOS!
    * 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
    * 23:07:20.854 Mar 2: ISAKMP (0:1027): NAT found, the node inside the NAT
    * 23:07:20.854 Mar 2: ISAKMP: receives the payload type 20
    * 23:07:20.854 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 23:07:20.854 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM3

    * 2 Mar 23:07:20.854: ISAKMP: (1027): lot of 217.155.113.179 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    * 23:07:20.854 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
    * 23:07:20.858 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 23:07:20.858 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM3 = IKE_R_MM4

    * 23:07:20.898 Mar 2: ISAKMP: (1024): serving SA., his is 64D5723C, delme is 64D5723C
    * 23:07:20.902 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
    * 23:07:20.902 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 23:07:20.902 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM4 = IKE_R_MM5

    * 2 Mar 23:07:20.902: ISAKMP: (1027): payload ID for treatment. Message ID = 0
    * 23:07:20.902 Mar 2: ISAKMP (0:1027): payload ID
    next payload: 8
    type: 1
    address: 217.155.113.179
    Protocol: 17
    Port: 0
    Length: 12
    * 2 Mar 23:07:20.902: ISAKMP: (0): peer games * no * profiles
    * 2 Mar 23:07:20.906: ISAKMP: (1027): HASH payload processing. Message ID = 0
    * 2 Mar 23:07:20.906: ISAKMP: (1027): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID = 0, a = 6464D3F0
    * 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
    authenticated
    * 23:07:20.906 Mar 2: ISAKMP: (1027): SA has been authenticated with 217.155.113.179
    * 23:07:20.906 Mar 2: ISAKMP: (1027): port detected floating port = 4500
    * 23:07:20.906 Mar 2: ISAKMP: try to find found and existing peer 192.168.248.253/217.155.113.179/4500/ peer 648EAD00 to reuse existing, free 64960 04
    * 23:07:20.906 Mar 2: ISAKMP: Unlocking counterpart struct 0x64960C04 Reuse existing peer count 0
    * 23:07:20.906 Mar 2: ISAKMP: delete peer node by peer_reap for 217.155.113.179: 64960 04
    * 23:07:20.906 Mar 2: ISAKMP: lock struct 0x648EAD00, refcount 2 for peer peer reuse existing
    * 23:07:20.906 Mar 2: ISAKMP: (1027): SA authentication status:
    authenticated
    * 2 Mar 23:07:20.906: ISAKMP: (1027): process of first contact.
    lowering existing phase 1 and 2 with local 192.168.248.253 217.155.113.179 remote remote port 4500
    * 23:07:20.906 Mar 2: ISAKMP: (1026): received first contact, delete SA
    * 23:07:20.906 Mar 2: ISAKMP: (1026): peer does not paranoid KeepAlive.

    * 23:07:20.906 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
    * 23:07:20.906 Mar 2: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
    * 23:07:20.906 Mar 2: ISAKMP: (1027): UDP ENC parameter counterpart struct 0x0 his = 0x6464D3F0
    * 23:07:20.906 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 23:07:20.906 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_R_MM5

    * 23:07:20.910 Mar 2: ISAKMP: node set-98987637 to QM_IDLE
    * 2 Mar 23:07:20.910: ISAKMP: (1026): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
    * 23:07:20.910 Mar 2: ISAKMP: (1026): sending a packet IPv4 IKE.
    * 23:07:20.910 Mar 2: ISAKMP: (1026): purge the node-98987637
    * 23:07:20.910 Mar 2: ISAKMP: (1026): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 23:07:20.910 Mar 2: ISAKMP: (1026): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

    * 23:07:20.910 Mar 2: ISAKMP: (1027): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    * 23:07:20.910 Mar 2: ISAKMP (0:1027): payload ID
    next payload: 8
    type: 1
    address: 192.168.248.253
    Protocol: 17
    Port: 0
    Length: 12
    * 23:07:20.910 Mar 2: ISAKMP: (1027): the total payload length: 12
    * 2 Mar 23:07:20.914: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
    * 23:07:20.914 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
    * 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

    * 23:07:20.914 Mar 2: ISAKMP: (1026): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 217.155.113.179)
    * 23:07:20.914 Mar 2: ISAKMP: Unlocking counterpart struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
    * 23:07:20.914 Mar 2: ISAKMP: (1026): error suppression node 334747020 FALSE reason 'IKE deleted.
    * 23:07:20.914 Mar 2: ISAKMP: (1026): node-1580729900 error suppression FALSE reason 'IKE deleted.
    * 23:07:20.914 Mar 2: ISAKMP: (1026): node-893929227 error suppression FALSE reason 'IKE deleted.
    * 23:07:20.914 Mar 2: ISAKMP: (1026): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 23:07:20.914 Mar 2: ISAKMP: (1026): former State = new State IKE_DEST_SA = IKE_DEST_SA

    * 23:07:20.914 Mar 2: ISAKMP: (1027): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    * 23:07:20.914 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    * 23:07:20.930 Mar 2: ISAKMP (0:1026): received 217.155.113.179 packet dport 4500 4500 Global (R) MM_NO_STATE sport
    * 23:07:20.934 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
    * 23:07:20.934 Mar 2: ISAKMP: node set 1860263019 to QM_IDLE
    * 2 Mar 23:07:20.934: ISAKMP: (1027): HASH payload processing. Message ID = 1860263019
    * 2 Mar 23:07:20.934: ISAKMP: (1027): treatment ITS payload. Message ID = 1860263019
    * 23:07:20.934 Mar 2: ISAKMP: (1027): proposal of IPSec checking 1
    * 23:07:20.934 Mar 2: ISAKMP: turn 1, ESP_AES
    * 23:07:20.934 Mar 2: ISAKMP: attributes of transformation:
    * 23:07:20.934 Mar 2: ISAKMP: program is 3 (Tunnel-UDP)
    * 23:07:20.934 Mar 2: ISAKMP: type of life in seconds
    * 23:07:20.934 Mar 2: ISAKMP: life of HIS (basic) 3600
    * 23:07:20.934 Mar 2: ISAKMP: type of life in kilobytes
    * 23:07:20.934 Mar 2: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
    * 23:07:20.934 Mar 2: ISAKMP: key length is 128
    * 23:07:20.934 Mar 2: ISAKMP: (1027): atts are acceptable.
    * 2 Mar 23:07:20.934: ISAKMP: (1027): IPSec policy invalidated proposal with error 32
    * 2 Mar 23:07:20.934: ISAKMP: (1027): politics of ITS phase 2 is not acceptable! (local 192.168.248.253 remote 217.155.113.179)
    * 23:07:20.938 Mar 2: ISAKMP: node set 1961554007 to QM_IDLE
    * 23:07:20.938 Mar 2: ISAKMP: (1027): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 1688526152, message ID = 1961554007
    * 2 Mar 23:07:20.938: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
    * 23:07:20.938 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
    * 23:07:20.938 Mar 2: ISAKMP: (1027): purge the node 1961554007
    * 23:07:20.938 Mar 2: ISAKMP: (1027): error suppression node 1860263019 REAL reason "QM rejected."
    * 23:07:20.938 Mar 2: ISAKMP: (1027): entrance, node 1860263019 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    * 23:07:20.938 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_READY
    * 23:07:24.510 Mar 2: ISAKMP: set new node 0 to QM_IDLE
    * 2 Mar 23:07:24.510: ITS a exceptional applications (100.100.213.56 local port 4500, 100.100.213.84 remote port 4500)
    * 2 Mar 23:07:24.510: ISAKMP: (1027): sitting IDLE. From QM immediately (QM_IDLE)
    * 23:07:24.510 Mar 2: ISAKMP: (1027): start Quick Mode Exchange, M - ID 670698820
    * 23:07:24.510 Mar 2: ISAKMP: (1027): initiator QM gets spi
    * 2 Mar 23:07:24.510: ISAKMP: (1027): lot of 217.155.113.179 sending peer_port my_port 4500 4500 (R) QM_IDLE
    * 23:07:24.510 Mar 2: ISAKMP: (1027): sending a packet IPv4 IKE.
    * 23:07:24.514 Mar 2: ISAKMP: (1027): entrance, node 670698820 = IKE_MESG_INTERNAL, IKE_INIT_QM
    * 23:07:24.514 Mar 2: ISAKMP: (1027): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    * 23:07:24.530 Mar 2: ISAKMP (0:1027): received 217.155.113.179 packet dport 4500 4500 Global (R) QM_IDLE sport
    * 23:07:24.534 Mar 2: ISAKMP: node set 1318257670 to QM_IDLE
    * 2 Mar 23:07:24.534: ISAKMP: (1027): HASH payload processing. Message ID = 1318257670
    * 2 Mar 23:07:24.534: ISAKMP: (1027): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 3268378219, message ID = 1318257670, a = 6464D3F0
    * 2 Mar 23:07:24.534: ISAKMP: (1027): removal of spi 3268378219 message ID = 670698820
    * 23:07:24.534 Mar 2: ISAKMP: (1027): node 670698820 REAL reason error suppression "remove larval.
    * 23:07:24.534 Mar 2: ISAKMP: (1027): error suppression node 1318257670 FALSE reason 'informational (en) State 1.
    * 23:07:24.534 Mar 2: ISAKMP: (1027): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    * 23:07:24.534 Mar 2: ISAKMP: (1027): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-238086324
    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-1899972726
    * 23:07:40.898 Mar 2: ISAKMP: (1025): purge the node-321906720

    Router B
    ----------
    Debug crypto ISAKMP

    1d23h: ISAKMP: (0): profile of THE request is (NULL)
    1d23h: ISAKMP: created a struct peer 37.205.62.5, peer port 500
    1d23h: ISAKMP: new position created post = 0x652C3B54 peer_handle = 0x80000D8C
    1d23h: ISAKMP: lock struct 0x652C3B54, refcount 1 to peer isakmp_initiator
    1d23h: ISAKMP: 500 local port, remote port 500
    1d23h: ISAKMP: set new node 0 to QM_IDLE
    1d23h: ISAKMP: find a dup her to the tree during the isadb_insert his 652CBDC4 = call BVA
    1d23h: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    1d23h: ISAKMP: (0): built the seller-07 ID NAT - t
    1d23h: ISAKMP: (0): built of NAT - T of the seller-03 ID
    1d23h: ISAKMP: (0): built the seller-02 ID NAT - t
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    1d23h: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

    1d23h: ISAKMP: (0): Beginner Main Mode Exchange
    1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
    1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_NO_STATE
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

    1d23h: ISAKMP: (0): treatment ITS payload. Message ID = 0
    1d23h: ISAKMP: (0): load useful vendor id of treatment
    1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (0): pre-shared key local found
    1d23h: ISAKMP: analysis of the profiles for xauth...
    1d23h: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    1d23h: ISAKMP: DES-CBC encryption
    1d23h: ISAKMP: SHA hash
    1d23h: ISAKMP: default group 1
    1d23h: ISAKMP: pre-shared key auth
    1d23h: ISAKMP: type of life in seconds
    1d23h: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    1d23h: ISAKMP: (0): atts are acceptable. Next payload is 0
    1d23h: ISAKMP: (0): Acceptable atts: real life: 0
    1d23h: ISAKMP: (0): Acceptable atts:life: 0
    1d23h: ISAKMP: (0): fill atts in his vpi_length:4
    1d23h: ISAKMP: (0): fill atts in his life_in_seconds:86400
    1d23h: ISAKMP: (0): return real life: 86400
    1d23h: ISAKMP: (0): timer life Started: 86400.

    1d23h: ISAKMP: (0): load useful vendor id of treatment
    1d23h: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    1d23h: ISAKMP (0:0): provider ID is NAT - T RFC 3947
    1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2

    1d23h: ISAKMP: (0): lot of 37.205.62.5 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
    1d23h: ISAKMP: (0): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3

    1d23h: ISAKMP (0:0): received 37.205.62.5 packet dport 500 sport Global 500 (I) MM_SA_SETUP
    1d23h: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4

    1d23h: ISAKMP: (0): processing KE payload. Message ID = 0
    1d23h: ISAKMP: (0): processing NONCE payload. Message ID = 0
    1d23h: ISAKMP: (0): pair found pre-shared key matching 37.205.62.5
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): provider ID is the unit
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): provider ID is DPD
    1d23h: ISAKMP: (1034): load useful vendor id of treatment
    1d23h: ISAKMP: (1034): addressing another box of IOS!
    1d23h: ISAKMP: receives the payload type 20
    1d23h: ISAKMP: receives the payload type 20
    1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM4

    1d23h: ISAKMP: (1034): send initial contact
    1d23h: ISAKMP: (1034): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    1d23h: ISAKMP (0:1034): payload ID
    next payload: 8
    type: 1
    address: 217.155.113.179
    Protocol: 17
    Port: 0
    Length: 12
    1d23h: ISAKMP: (1034): the total payload length: 12
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM4 = IKE_I_MM5

    1d23h: ISAKMP: (1031): serving SA., his is 652D60C8, delme is 652D60C8
    1d23h: ISAKMP (0:1033): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set 33481563 to QM_IDLE
    1d23h: ISAKMP: (1033): HASH payload processing. Message ID = 33481563
    1d23h: ISAKMP: receives the payload type 18
    1d23h: ISAKMP: (1033): treatment remove with load useful reason
    1d23h: ISAKMP: (1033): remove the doi = 1
    1d23h: ISAKMP: (1033): remove Protocol id = 1
    1d23h: ISAKMP: (1033): remove spi_size = 16
    1d23h: ISAKMP: (1033): remove the spis num = 1
    1d23h: ISAKMP: (1033): delete_reason = 11
    1d23h: ISAKMP: (1033): load DELETE_WITH_REASON, processing of message ID = 33481563, reason: Unknown delete reason!
    1d23h: ISAKMP: (1033): peer does not paranoid KeepAlive.

    1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
    1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'informational (en) State 1.
    1d23h: ISAKMP: node set 1618266182 to QM_IDLE
    1d23h: ISAKMP: (1033): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1033): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1033): purge the node 1618266182
    1d23h: ISAKMP: (1033): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    1d23h: ISAKMP: (1033): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) MM_KEY_EXCH
    1d23h: ISAKMP: (1034): payload ID for treatment. Message ID = 0
    1d23h: ISAKMP (0:1034): payload ID
    next payload: 8
    type: 1
    address: 192.168.248.253
    Protocol: 17
    Port: 0
    Length: 12
    1d23h: ISAKMP: (0): peer games * no * profiles
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 0
    1d23h: ISAKMP: (1034): SA authentication status:
    authenticated
    1d23h: ISAKMP: (1034): SA has been authenticated with 37.205.62.5
    1d23h: ISAKMP: try to insert a 217.155.113.179/37.205.62.5/4500/ peer and found existing in a 643BCA10 to reuse, free 652C3B54
    1d23h: ISAKMP: Unlocking counterpart struct 0x652C3B54 Reuse existing peer count 0
    1d23h: ISAKMP: delete peer node by peer_reap for 37.205.62.5: 652C3B54
    1d23h: ISAKMP: lock struct 0x643BCA10, refcount 2 for peer peer reuse existing
    1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM5 = IKE_I_MM6

    1d23h: ISAKMP: (1033): deletion of 'Initial of receive Contact' State HIS reason (I) QM_IDLE (post 37.205.62.5)
    1d23h: ISAKMP: (0): cannot decrement IKE Call Admission Control outgoing_active stat because he's already 0.
    1d23h: ISAKMP: Unlocking counterpart struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
    1d23h: ISAKMP: (1033): error suppression node 1267924911 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): error suppression node 1074093103 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): node-183194519 error suppression FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): error suppression node 33481563 FALSE reason 'IKE deleted.
    1d23h: ISAKMP: (1033): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    1d23h: ISAKMP: (1033): former State = new State IKE_DEST_SA = IKE_DEST_SA

    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_I_MM6

    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

    1d23h: ISAKMP: (1034): start Quick Mode Exchange, M - ID 1297417008
    1d23h: ISAKMP: (1034): initiator QM gets spi
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): entrance, node 1297417008 = IKE_MESG_INTERNAL, IKE_INIT_QM
    1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    1d23h: ISAKMP: (1034): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set-874376893 to QM_IDLE
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID =-874376893
    1d23h: ISAKMP: (1034): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 56853244, message ID =-874376893, his 652CBDC4 =
    1d23h: ISAKMP: (1034): removal of spi 56853244 message ID = 1297417008
    1d23h: ISAKMP: (1034): node 1297417008 REAL reason error suppression "remove larval.
    1d23h: ISAKMP: (1034): node-874376893 error suppression FALSE reason 'informational (en) State 1.
    1d23h: ISAKMP: (1034): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    1d23h: ISAKMP: (1034): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

    1d23h: ISAKMP (0:1034): received 37.205.62.5 packet dport 4500 sport Global 4500 (I) QM_IDLE
    1d23h: ISAKMP: node set 439453045 to QM_IDLE
    1d23h: ISAKMP: (1034): HASH payload processing. Message ID = 439453045
    1d23h: ISAKMP: (1034): treatment ITS payload. Message ID = 439453045
    1d23h: ISAKMP: (1034): proposal of IPSec checking 1
    1d23h: ISAKMP: turn 1, ESP_AES
    1d23h: ISAKMP: attributes of transformation:
    1d23h: ISAKMP: program is 3 (Tunnel-UDP)
    1d23h: ISAKMP: type of life in seconds
    1d23h: ISAKMP: life of HIS (basic) 3600
    1d23h: ISAKMP: type of life in kilobytes
    1d23h: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
    1d23h: ISAKMP: key length is 128
    1d23h: ISAKMP: (1034): atts are acceptable.
    1d23h: ISAKMP: (1034): IPSec policy invalidated proposal with error 32
    1d23h: ISAKMP: (1034): politics of ITS phase 2 is not acceptable! (local 217.155.113.179 remote 37.205.62.5)
    1d23h: ISAKMP: node set 1494356901 to QM_IDLE
    1d23h: ISAKMP: (1034): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 3
    SPI 1687353736, message ID = 1494356901
    1d23h: ISAKMP: (1034): lot of 37.205.62.5 sending peer_port my_port 4500 4500 (I) QM_IDLE
    1d23h: ISAKMP: (1034): sending a packet IPv4 IKE.
    1d23h: ISAKMP: (1034): purge the node 1494356901
    1d23h: ISAKMP: (1034): error suppression node 439453045 REAL reason "QM rejected."
    1d23h: ISAKMP: (1034): entrance, node 439453045 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d23h: ISAKMP: (1034): former State = new State IKE_QM_READY = IKE_QM_READY
    1d23h: ISAKMP: (1032): purge the node 1513722556
    1d23h: ISAKMP: (1032): purge the node-643121396
    1d23h: ISAKMP: (1032): purge the node 1350014243
    1d23h: ISAKMP: (1032): purge the node 83247347

    Hi Nav,

    I'm happy it's working now. Your interpretation is correct. Transport mode IPSEC encrypts the payload, while tunnel mode figure the whole ip packet (original header / payload) and inserts a new ip header. Thus, the tunnel mode is used for ipsec site to site VPN and transport is used for point to point VPN ipsec. GRE is used with ipsec, all packages will be encapsulated with a GRE header first, so, essentially, this is a point to point VPN ipsec.

    The problem that you are having with tunnel mode, the router's package is going to be wrapped with the header 192.168.248.253 GRE source 217.155.113.179 destination. The whole package is then encrypted and a new header is added with the same source/destination. This new header will be coordinated by the FW, but not incorporated or encrypted GRE header. When the packet arrives at Router B, after decrypt them the package, router B will see the GRE header, which is different from that of source/destination tunnel she uses. This breaks the GRE tunnel and the routing between router A and router B Protocol.

    HTH,

    Lei Tian

  • Order of operations NAT on Site to Site VPN Cisco ASA

    Hello

    I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:

    Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.

    But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    tunnel-group 100.1.1.1 type ipsec-l2l

    tunnel-group 100.1.1.1 General-attributes

    Group Policy - by default-PHX_HK

    IPSec-attributes tunnel-group 100.1.1.1

    pre-shared key *.

    internal PHX_HK group policy

    PHX_HK group policy attributes

    VPN-filter no

    Protocol-tunnel-VPN IPSec svc webvpn

    card crypto inside_map 50 match address outside_cryptomap_50

    peer set card crypto inside_map 50 100.1.1.1

    inside_map crypto 50 card value transform-set ESP-3DES-SHA

    inside_map crypto 50 card value reverse-road

    the PHX_Local object-group network

    host of the object-Network 31.10.11.10

    host of the object-Network 31.10.11.11

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    the HK_Remote object-group network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local

    outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote

    Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1

    public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255

    public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255

    public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255

    public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255

    He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:

    the PHX_Local1 object-group network

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote

    inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote

    Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.

    Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.

    Thank you

    Kind regards

    Thomas

    Hello

    I think you could have said the original question in a way that could be missleading. In other words, if I understand now.

    From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.

    Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.

    If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.

    Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.

    You have these guests who were not able to use the VPN L2L

    31.10.10.10 10.17.128.20

    31.10.10.11 10.17.128.21

    31.10.10.12 10.17.128.22

    31.10.10.13 10.17.128.23

    IF you want them to go to the VPN L2L with their original IP address then you must configure

    object-group, LAN

    host of the object-Network 10.17.128.20

    host of the object-Network 10.17.128.21

    host of the object-Network 10.17.128.22

    host of the object-Network 10.17.128.23

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    IF you want to use the L2L VPN with the public IP address, then you must configure

    object-group, LAN

    host of the object-Network 31.10.10.10

    host of the object-Network 31.10.10.11

    host of the object-Network 31.10.10.12

    host of the object-Network 31.10.10.13

    object-group, REMOTE network

    host of the object-Network 102.1.1.10

    outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote

    EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.

    Or you can of course use the same "object-group" as currently but change the content in an appropriate manner

    Be sure to mark it as answered if it was answered.

    Ask more if necessary

    -Jouni

  • Site to Site VPN NAT conflicts

    I have a site to site vpn between my main office and an office.  Traffic between flow correctly with the exception of some protocols.  My main router has static NAT configured for port 25 and a few others.  For each of these protocols that have a static nat, I can't send the traffic from my office to the IP in the static nat

    either I can't access port 25 on 172.16.1.1 of my office of the branch of the 172.17.1.1, but I have remote desktop access

    It's like my list of NAT is excluding the static entries that follow.  I have posted below the configs.  Any help would be appreciated.

    Main office: 2811

    Branch: 1841

    Two routers connected to the internet.  VPN site to Site between them with the following config

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    isakmp encryption key * address *. ***. * *.116

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac VPN - TS

    !

    map VPN-map 10 ipsec-isakmp crypto

    set peer *. ***. * *.116

    game of transformation-VPN-TS

    match address VPN-TRAFFIC

    I have two IP addresses on the router principal.122 et.123

    There is an installer from the list of the deny on the two routers - that's the main:

    overload of IP nat inside source list 100 interface FastEthernet0/0

    access-list 100 remark = [Service NAT] =-

    access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255

    access-list 100 permit ip 172.16.0.0 0.0.255.255 everything

    access-list 100 permit ip 172.24.0.0 0.0.255.255 everything

    To serve clients vpn no internet, the following nat is configured to send e-mail to exchamge

    IP nat inside source static tcp 172.16.1.1 25 *. ***. * expandable 25 *.122

    Try to use the nat policy to exclude traffic from your servers to be natted when switching to the branch office network.

    Sth like this

    STATIC_NAT extended IP access list

    deny ip 172.16.1.1 host 172.17.1.0 255.255.255.0 aka nat0 for traffic from the server

    allow the ip 172.16.1.1 host a

    policy-NAT route map

    corresponds to the IP STATIC_NAT

    IP nat inside source static tcp 172.16.1.1 25 *. ***. 25-card *.122 of extensible policy-NAT route

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

    The config below has had IPs/passwords has changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    buydomains.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access permitted tcp a whole
    inside_access_in list extended access udp allowed a whole
    inside_access_in of access allowed any ip an extended list
    outside_access_in list extended access permit icmp any one
    outside_access_in list extended access udp allowed any any eq isakmp
    IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
    outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 623.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.5.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
    Crypto dynamic-map ciscopix 1 transform-set walthamoffice
    Crypto dynamic-map ciscopix 1 the value reverse-road
    map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
    dynmaptosw interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 13
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    lifetime 28800
    crypto ISAKMP policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    Telnet 10.5.0.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 10.5.0.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd address 10.5.0.2 - 10.5.0.254 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 66.250.45.2 source outdoors
    NTP server 72.18.205.157 source outdoors
    NTP server 208.53.158.34 source outdoors
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    VPN-idle-timeout no
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    context of prompt hostname
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

    Add the statement of rule sheep in asa and try again.

    NAT (inside) 0-list of access pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Concerning

  • You try to run a Site to site VPN and remote VPN from the same IP remotely

    We currently have a site to site VPN configuration between our offices call center and a 3rd party that allows them to access our training to their employees to use environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; However, when we have managers come out to the call center, they are unable to use remote VPN to access our office.

    Apparently the same IP peer remote that we use for our site to the other tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get treatment Information Exchange has failed. So from what I can understand when our managers are trying to connect to our firewall from the same IP address as the counterpart of site to site it automatically tries to create a tunnel, according to the information of the site to the other tunnel. If our managers are anywhere else, they can connect through remote VPN with no problems.

    My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.

    Hi John,.

    Basically, in older versions, when you hit a static encryption card and you does not match this static encryption completely map the connection continues until the dynamic encryption card. For this reason, you can connect your IPSec clients before. A bug has been opened on this vulnerability.

    CSCuc75090  Details of bug

    The crypto IPSec Security Association are created by dynamic crypto map to static peers

    Symptom:

    When a static VPN peer adds all traffic to the ACL crypto, a surveillance society is based even if the pair IP is not allowed in the acl to the main façade encryption. Are these SA finally put in correspondence and commissioning the dynamic crypto map instance.

    Conditions:

    It was a planned design since the first day that allowed customers to fall through in the case of static crypto map did not provide a necessary cryptographic services.

    The SA must be made from a peer configured statically and a dynamic crypto map instance must be configured on the receiving end.

    Workaround solution:

    N/A

    Some possible workarounds are:

    Configure a static nat device when you try to use the remote VPN if the firewall remotely will be hit with a different public IP address. It would be a good solution, but it will depend on how many ip addresses public you have available, if you really want one of these ip addresses for that access.

    Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 licenses SSL available that you could use. Because Anyconnect uses the SSL protocol, it won't have a problem on your environment.

    Below some information:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

    Hope this helps,

    Luis.

Maybe you are looking for

  • Satellite Pro 4360 - SSD boot via Cardbus (PCMCIA) possible?

    Hi all I have an old 4360 SP.Anyone know if an upgrade of BIOS 2.70 will allow me to boot from SSD inserted into the Cardbus pc card slot?Just knowing the Bios will only recognize DVDs, HARD drive and FLOPPY drive as boot devices. Second question:I h

  • AC analytical problems

    I created a CD4007UBE NMOS transistor using a virtual enhancement mode 4 terminal mosfet of Multisim. To test whether the imported model was OK, I designed the circuit and the DC, transient, and AC analysis compared to simulations conducted in Mircro

  • How to control (or know) the speed of iteration of While loops?

    Hello world! Currently, I am implementing a 2 bit counter in LabVIEW. Fortunately, I was able to find examples on the forums of NOR. Yet, in real life, speed of the ILO 2 counters are controlled by a clock switching frequency to produce different out

  • I tried updating MSN and it fails every time!

    MSN messenger update and the update does not have 50 times or more, have tried to look through AID to find a live person to help with this.  VERY FRUSTRATED that MSN Messenger does not work and I get no help through the search through the many window

  • Setup.pl running on the host with no existing data storage

    I have a new environment, I'll put up: Dell Vmware 5.0 guest (s) and a 10 Gb Equallogic SAN PS61xx I am the great Dell documentation and want to run setup.pl to configure my Vmware Vswitches, then install the DellMultipathing (MEM) I installed Vspher